Officials at Oslo, Norway-based Hydro said the attack began Monday and escalated throughout the evening, affecting multiple business areas globally. The company's operations span 50 countries; it has approximately 35,000 employees.

In a Tuesday press conference, company officials said they plan to restore affected systems using recent backups. The company is still working to identify and fully eradicate the virus.

"Let me be clear: The situation for Hydro is quite severe," Hydro CFO Eivind Kallevik said. "The entire worldwide network is down, affecting our production as well as our office operations. We are working hard to contain and solve the situation and to ensure safety and security of our employees."

Bente Hoff, a director of cybersecurity in the Norwegian National Security Authority, said the ransomware may be a strain known as LockerGoga.

"We are helping Hydro in this," she said at the press conference, adding that her authority was working with Norway's National Criminal Investigation Service - a special agency of the Norwegian Police Service known as Kripos - as well as the country's intelligence services.

Hydro, which is the second largest business in Norway, says the full extent of the attack remains unclear, but it says all affected plants have been isolated from the global network.

Cyberattack Warning

The press conference followed the company issuing a warning earlier Tuesday that it had suffered a cyberattack.

"Hydro has been subject to an extensive cyberattack, impacting operations in several of the company's business areas," the company said in a statement issued via Facebook.

"Around midnight [Tuesday], Norwegian time, our IT experts noticed unusual activity on our servers within our global IT systems," Kallevik said. As the attack was spreading, the company's internal IT team worked rapidly to attempt to contain the damage, he added. "This virus is a so-called encryption virus, also commonly known as a ransom virus or ransom attack."

The company said it plans to wipe and restore affected systems using backups. "We have good backup solutions and good routines for that in the company, and that is the main target for how we will get the operations back to normal is to reinstall the data we have from the last backup data, and that is recent," Kallevik said.

As of Tuesday, Norsk Hydro's website remained offline. The company has been using Facebook to communicate.

Kallevik said Hydro carries cyber insurance.

Infections Isolated

The company said all affected plants' IT networks have been isolated.

"Hydro has isolated all plants and operations and is switching to manual operations and procedures as far as possible," including for some aluminum-producing smelters, the company explained. "Hydro's main priority is to continue to ensure safe operations and limit operational and financial impact. The problem has not led to any safety-related incidents."

Running more operations manually, the company said, means having to bring on more workers at once, as it did until several years ago, until it put more automated operations into place.

"IT systems are impacted and Hydro is switching to manual operations where possible," the company reported on Tuesday.

Hydro said it's producing orders based on printouts of the orders that it already made and that it has sufficient information to fulfill at least the orders it was planning to produce Tuesday.

Hydro said all energy production and bauxite and alumina production is running normally. For its primary metal production, it said all plants in Norway as well as remelters are continuing to run normally, albeit "with [a] higher degree of manual operations," while all other primary plants abroad remain unaffected.

For the company's extruded solutions and rolled products, a "lack of ability to connect to the production systems is causing production challenges and temporary stoppage at several plants," it reported

Hydro said the situation is continuing to evolve. "Hydro is working to contain and neutralize the attack but does not yet know the full extent of the situation. It is too early to indicate the operational and financial impact, as well as timing to resolve the situation," it said. "Hydro is doing its utmost to limit the impact on customers."

Life After NotPetya

The attack against Hydro appears to mirror in some ways the outbreak of NotPetya malware in 2017. More than 12,000 organizations across at least 65 countries were affected by the outbreak, which crypto-locked their systems. But there appeared to be no way to decrypt affected devices.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.